Benefits of Sensor Deployment at Internet Service Providers to Mitigate Cyber Threats

Part 01

Introduction

The explosive growth of connectivity options has driven a large increase in the number of Internet users across the globe. The situation is no different in our region, as confirmed by the growth statistics available on the TRC website [1]. The types of malicious traffic flowing to and from our local networks correlate directly with the threats to and from those networks. In this context, deploying sensors at the ISP gateway level has the added benefit of allowing these threats to be monitored and responded to proactively.

What is a sensor

A sensor, or pod, is a live CD image or a virtual machine containing the sensor software. The aim of deploying sensors is to build a network of pods that can securely and anonymously help provide actionable intelligence to the Internet security community. A sensor can act as a passive data collection facility for many common applications such as HTTP servers or, if expressly permitted, can help actively monitor malicious Internet activity. No sensor partner or sensor-specific information is ever shared outside the core network.

Types of sensors available

A number of organisations provide these sensors as a free service, but the service is offered on the basis of trustworthiness and reliability: the partners are screened by the sensor/pod provider to ensure the integrity of the network. In return, partners have a definite advantage over the general public regarding threat intelligence. Here are some of the organisations that deploy sensors in order to provide intelligence to the Internet security community:

1. The Dragon Research Group (DRG) [2]

The DRG is a not-for-profit, non-revenue-generating entity comprising a geographically dispersed set of trusted volunteers who are passionate about making the Internet more secure. Selected volunteers are part of a group that has access to the data and tools that can really make a difference in the fight against online crime.

2. TSUBAME (Internet threat monitoring system) from JPCERT/CC

TSUBAME has a widely distributed arrangement of sensors and observes various scan activities in the Asia Pacific region: worm infections, probing of vulnerable systems, etc. JPCERT/CC provides summarised scan trends (graphs) using the data observed by TSUBAME. Moreover, the observed data are used as a basis for JPCERT/CC activities such as publishing alerts and advisories, security awareness documents, etc.

3. Shadowserver

The Shadowserver Foundation collects data from its worldwide sensors and provides reports on malicious activity to the responsible network operators as a subscription service.

4. Team Cymru

Team Cymru Inc. is a specialised Internet security research firm dedicated to making the Internet more secure. Team Cymru helps organisations identify and eradicate problems in their networks, providing insights that improve lives.

How to deploy a sensor in your network

TSUBAME sensors, for example, are placed across various address blocks in the Asia Pacific region: on the edge of DSL lines, near Internet exchanges, etc. These sensors watch the TCP, UDP and ICMP packets arriving from the Internet.

Figure 1: The method of collecting attack traffic and reporting

These sensors are to be placed outside the organisation's firewall, and a public IP address is required for proper operation of the sensor. A threat monitoring system correlates and analyses traffic from multiple sensors in order to raise alerts with higher accuracy. This enables an efficient, coordinated response from the victim's end.

How a sensor identifies malicious traffic

Attack traffic and scans originate from multiple sources, and these can be intentional or unintentional: compromised servers, malicious attackers, infected network devices, etc. In the case of the Shadowserver network, data received from sensors across the world are captured and filtered, then analysed by an engine that classifies the type of attack traffic. Figure 2 illustrates a similar report generated by the TSUBAME sensors.

Figure 2: The graph published on the web shows the top five accessed ports, based on the average number of packet counts per sensor by quarter and by year, respectively.

A threat monitoring and visualisation system (TMVS) could be deployed at the back end to analyse the data and alert the relevant networks.
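The following is an added example of the kind of correlation such a back end performs; it is written for this article and is not code from TSUBAME, Shadowserver, DRG or Team Cymru. It assumes a simple pipe-delimited record format (timestamp, sensor id, source address, protocol, destination port), and the sensor names and the RFC 5737 documentation addresses in the sample log are constructed. It ranks the most-probed ports as an average per sensor, as in the Figure 2 graph, and flags sources that touch several unrelated sensors, which is the cross-sensor correlation that lets a monitoring system raise an alert with higher confidence than any single sensor could.

```python
"""
Toy threat-monitoring back end for passive sensor data.

Added example, not code from any project named in the article: it parses
TCP/UDP/ICMP probe records reported by several sensors, ranks the most-probed
ports (average packets per sensor) and flags sources seen by more than one
sensor, a typical signature of an Internet-wide scan rather than a one-off
connection.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: str       # timestamp as reported by the sensor
    sensor: str   # sensor identifier (hypothetical names in the sample below)
    src: str      # source IP address of the probe
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for ICMP, which has no ports


# Constructed sample records in the pipe-delimited format assumed for this
# example. Source addresses come from the RFC 5737 documentation ranges,
# so they are not real hosts. The last line is deliberately malformed.
SAMPLE_LOG = """\
2013-06-01T00:01:02|sensor-a|192.0.2.10|tcp|445
2013-06-01T00:01:05|sensor-b|192.0.2.10|tcp|445
2013-06-01T00:01:09|sensor-c|192.0.2.10|tcp|445
2013-06-01T00:02:00|sensor-a|198.51.100.7|tcp|22
2013-06-01T00:02:30|sensor-a|198.51.100.7|tcp|22
2013-06-01T00:03:00|sensor-b|203.0.113.5|udp|1434
2013-06-01T00:03:10|sensor-b|203.0.113.5|tcp|445
2013-06-01T00:04:00|sensor-c|203.0.113.9|icmp|0
2013-06-01T00:04:20|sensor-c|192.0.2.77|tcp|3389
2013-06-01T00:05:00|sensor-b|192.0.2.77|tcp|3389
this line is malformed and must be skipped
"""


def parse_log(text: str) -> list[Probe]:
    """Parse pipe-delimited records, skipping blank or malformed lines."""
    probes: list[Probe] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, sensor, src, proto, dport = parts
        try:
            probes.append(Probe(ts, sensor, src, proto.lower(), int(dport)))
        except ValueError:
            continue  # non-numeric port: drop the record rather than crash
    return probes


def top_ports(probes: list[Probe], n: int = 5) -> list[tuple[int, int, float]]:
    """Most-probed TCP/UDP ports as (port, total packets, average per sensor)."""
    sensors = {p.sensor for p in probes}
    if not sensors:
        return []
    per_port = Counter(p.dport for p in probes if p.proto != "icmp")
    return [(port, total, round(total / len(sensors), 2))
            for port, total in per_port.most_common(n)]


def cross_sensor_sources(probes: list[Probe], min_sensors: int = 2) -> dict[str, list[str]]:
    """Sources that hit at least `min_sensors` distinct sensors.

    A single sensor seeing a connection could be a misconfigured client; the
    same source touching several unrelated address blocks is the correlation
    a threat monitoring system uses to raise a higher-confidence scan alert.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for p in probes:
        seen[p.src].add(p.sensor)
    return {src: sorted(s) for src, s in seen.items() if len(s) >= min_sensors}


def build_alerts(probes: list[Probe], min_sensors: int = 2) -> list[dict]:
    """Summarise each correlated source for the responsible network operator."""
    alerts = []
    for src, sensors in cross_sensor_sources(probes, min_sensors).items():
        mine = [p for p in probes if p.src == src]
        alerts.append({
            "source": src,
            "sensors": sensors,
            "ports": sorted({p.dport for p in mine if p.proto != "icmp"}),
            "packets": len(mine),
            "first_seen": min(p.ts for p in mine),
        })
    return alerts


if __name__ == "__main__":
    probes = parse_log(SAMPLE_LOG)
    print("Top ports (port, packets, avg per sensor):", top_ports(probes))
    for alert in build_alerts(probes):
        print("ALERT", alert)
```

On the sample log, port 445 ranks first (four packets across three sensors), and only 192.0.2.10 and 192.0.2.77 are reported, because they were each seen by at least two sensors; 198.51.100.7 probed one sensor twice and is left for the operator of that network alone. The `min_sensors` threshold is the knob that trades alert volume against confidence.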

Kanishka Yapa
Senior Information Security Engineer
Sri Lanka CERT|CC

Inbound Threats to Sri Lanka during June 2013

This graph was obtained from the Threat Visualization and Analysis System (TVAS), which monitors inbound and outbound threats to Sri Lanka. The graph shows a large increase in inbound threats during the first week of June. The largest number of threats, amounting to 240, came from mainland China; these include port scans targeting local IPs. The second largest number of threats came from the USA, with more than 40 recorded during the first week. On the 13th of July this number had increased to more than 40. The other countries the threats came from include Germany, Korea, Russia and Taiwan.

'....ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network. ICS-CERT posted an alert on the US-CERT secure portal (Control Systems Center), containing 10 IP addresses, to warn other critical infrastructure asset owners, especially in the natural gas industry, to watch for similar activity. That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)......'

'....Britain is seeing about 70 sophisticated cyber espionage operations a month against government or industry networks, British intelligence has told the BBC. GCHQ director Sir Iain Lobban said business secrets were being stolen on an "industrial scale". Foreign hackers have penetrated some firms for up to two years, he said. Foreign intelligence services are behind many of these attacks, according to Britain's Security Service MI5......'

'....Government agencies, telecom and energy organizations in the Middle East are being targeted by espionage malware known as njRAT. The remote access Trojan is thorough in its data-stealing capabilities. Beyond dropping a keylogger, variants are capable of accessing a computer's camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user's desktop......'

'....France's foreign intelligence service intercepts computer and telephone data on a vast scale, like the controversial US Prism programme, according to the French daily Le Monde. The data is stored on a supercomputer at the headquarters of the DGSE intelligence service, the paper says. The operation is "outside the law, and beyond any proper supervision", Le Monde says. Other French intelligence agencies allegedly access the data secretly......'

'....RedHack has been highly involved in the protests that started in Turkey after authorities announced their intentions to destroy the Gezi Park in Istanbul. Over the past days, the hackers have breached the systems of Turkey's Directorate of Religious Affairs and the ones of the Istanbul Special Provincial Administration. In light of recent events, Turkish police are said to have submitted a report to the Istanbul Prosecution's Office in which they identify the hacktivist group as a "cyber terrorist organization"......'

'....In a blog post today, Twitter announced that they're "experimenting with new ways of targeting ads," which is their way of saying they're planning to track you around the web, even when you leave Twitter, and relay that information to advertisers to craft better ads. Here's how to opt out......'

'....Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement by a security firm on Monday. The vulnerabilities included a private root SSH key that was distributed in publicly available firmware images that would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system. IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages......'

'....In March 2011, a team of scholars at the University of Washington joined with colleagues from the University of California-San Diego in a technical paper entitled "Comprehensive Experimental Analyses of Automotive Attack Surfaces." They prepared it for the National Academy of Sciences (NAS) committee on electronic vehicle controls and unintended acceleration. Dirk Besenbruch, engineer, group leader of Systems & Applications, Automotive, at NXP Semiconductors, recalls the paper as a wakeup call. "It triggered our work at NXP" on automotive security, he said in a recent phone conversation with EE Times. The academics' point was to debunk automotive industry skepticism about the hackability of on-board electronics. The industry's conventional wisdom was that "to implement an attack, the attacker would need to physically connect attack hardware to the car's internal computer network." That got the university researchers going. They ran "a systematic and empirical analysis of the remote attack surface of late model mass-production sedan," according to the authors......'

'....Last week, researchers from Bluebox Security made a disconcerting revelation: Google's Android mobile OS carries a critical bug that allows attackers to modify the code of any app without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users' phones. The good news is that the bug hasn't, so far, been spotted being exploited in the wild, but that might soon change as security researcher Pau Oliva has published proof-of-concept code that can exploit it......'